The Internet of Things (IoT) is pushing full steam ahead through 2018, and it is already understood that the IoT is transforming businesses through Smart innovation and operational efficiencies, which extend far into our daily lives. Large organizations such as Microsoft, Amazon and PTC have already invested billions in the IoT and continue to do so with their IoT platform offerings. However, there are still a few challenges affecting project deployments, particularly in the area of security and risk. Implementing a credible IoT security approach is one thing, but of equal importance is the ongoing operational management of security credentials and operations, especially for large IoT device roll outs that may consist of hundreds of thousands of devices.

Protecting IoT Platforms

It is critical to protect the IoT application platform from malicious devices that could potentially supply polluted data, render datasets useless and compromise entire systems. Enabling security on a handful of devices is one thing but enabling security on thousands of devices can be quite another, let alone the on-going management of the security on tens of thousands of devices. An operational nightmare and a big headache for anyone if that's in your job description!

IoT demands a new approach to Security for IoT Scale

Simply put, traditional IT security cannot be applied to IoT. For example, with HTTP/S and traditional web browsing, the server determines the authenticity of the user through incoming username and password (in simple terms), and the user (e.g. browser) determines the authenticity of the server through CA signed certificates. This is a scalable model in the sense that the server does not need to provision credentials (e.g. usernames and password) to the millions of users. Users take care of this themselves, e.g. when signing up to a service.

However, for IoT it is different as IoT devices are not humans. For example, how does an IoT platform verify the authenticity of 10,000 headless IoT devices, when the device has no associated user to enter a user name and a password?

All of a sudden, we have a provisioning challenge. The 10,000 devices must have credentials that they can present to the IoT platform to authenticate themselves, similarly to how a user signs into a webpage with username and password. The device credentials could for example be in the form of a tokens, certificates, app keys etc.

If the IoT platform (e.g. Azure IoT Hub) demands token authentication, each of the 10,000 devices need a token to authenticate to the platform. This potentially means that not only do you need a provisioning solution in place to generate and provision tokens, but also a way to rotate such tokens before they expire. If the tokens are not renewed, thousands of devices that feed critical data to the system, will simply fail to authenticate and will be denied access to the platform.

Similar provisioning challenges also apply to data confidentiality, where large system deployments or regulations demand rotation of crypto keys to keep sensitive data encrypted in motion and at rest.

The Industrial Internet of Things (IIoT), and smart factories in particular is one vertical where security becomes an increasingly important issue over traditional factories which are not smart/connected. Secure device management at IoT scale is critical to prevent system failure that results in physical damage to property or human injury/fatality.

Check out the Advanced Manufacturing Research Centre which hosts Factory 2050, the UK’s first fully reconfigurable assembly and component manufacturing facility for collaborative research. PTC leverages the AMRC to build demonstrators to showcase industrial IoT applications, with a view to shorten sales cycles. A continuous collaborative effort is being made to integrate Device Authority’s KeyScaler platform into new and existing demonstrators.

Automation

If the IoT platform demands mutual TLS (e.g. AWS IoT) for two-way authentication, there is another challenge because 10,000 unique certificates need to be generated and provisioned, not only to the device, but also to the IoT Platform. Certificate expiry, rotation, revocation are all security operations that needs to be managed, and for such a large number of devices, this is complex, time consuming and expensive.

A software-based solution that can automate security operations at scale in a secure manner will be critical to the success of IoT implementations. The sooner it is integrated/built in, the better the experience for the customer / end user.